On July 2018, OutSystems became aware of a vulnerability present on an endpoint used to retrieve images from the database more precisely, _image\aspx.cs on .NET stacks and _image.java on Java stacks.
OutSystems has assessed the impact and risk of this vulnerability for both cloud and on-premises deployments across all supported stacks and classified it accordingly using the CVSS 3.0 scoring system.
The information in this communication will allow you to ascertain the level of exposure your systems may have, and how you should proceed to mitigate the threat.
This vulnerability affects all supported Platform Server stacks.
Base Score: 8.7 (High)
Vector String: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
To understand the phases involved in the process, how and when we communicate, check this article.
- Embargo phase: This vulnerability was first communicated to all customers on October 31, 2018
- Public disclosure: Full details on this vulnerability were already disclosed.
This vulnerability is present when a module uses an Image Widget fetching images from an Entity with an Integer or Long Integer identifier. Entities with Text identifiers are not affected by this vulnerability.
In this situation, it is possible for an unauthenticated attacker to inject a SQL query into the generated image endpoint and retrieve any data from the database.
The following System Components are installed by OutSystems by default and contain a vulnerable endpoint:
- LifeTime (not present in all environments)
Protecting your OutSystems Platform
OutSystems notified cloud customers and updated all cloud infrastructures to version 10.0.828.0 or higher.
OutSystems issued new releases of the Platform Server that address this vulnerability.
All customers that have yet to update their platform instances are strongly encouraged to do so.
Exceptionally, and even though at the time this vulnerability was detected, version 9.1 was already out of mainstream support, OutSystems also produced a fix for this version. The release containing the fix is 9.1.616.0.
The fixes are available from release 10.0.828.0 onwards.
OutSystems 11 was not affected.
For on-premises instalations, a Platform upgrade is strongly advised.
If you do not have the opportunity to upgrade, we advise you to use the OutSystem’s Zones feature to not deploy any vulnerable System Component in publicly facing websites.
OutSystems PaaS infraestructures do not require any workaround as they were all patched and are protected.
|By exploiting this vulnerability can an attacker access my data?||Yes. By exploiting this vulnerability, an attacker will have full access to all data stored by the OutSystems Platform.|
|Has this vulnerability been exploited in the wild?||OutSystems does not have any evidence that this vulnerability has been exploited in the wild or that any customer has been affected by it.|
|What do I need to do?||Update your OutSystems Platform to the above-mentioned version that applies.|
|Will OutSystems share any more information about this vulnerability?||All the details that can be shared were already disclosed in this article.|
|Who can I talk to about this?||If you have any questions, contact your Customer Success Manager. If you don’t have one, contact us via our support channels.|